Microsoft Lets Agencies Test Government-Only Cloud

Microsoft lets federal agencies take its newly operational Azure for Government for a "shakedown cruise."

(Click image for larger view.)

Slideshow: Top 20 Government Cloud Service Providers.

Microsoft has begun giving a select group of federal customers the chance to put Microsoft's new government-only cloud service through a series of private tests. "The processes, people, technology, and infrastructure are all in place. We want real-world test loads," for a shakedown cruise, said Greg Myers, VP of federal sales, in announcing the news Tuesday at Microsoft's US Public Sector Federal Executive Forum in Washington.

Although Microsoft's commercial Azure cloud offering has received authority to operate under the FedRAMP program for cloud services, the new government platform -- announced last fall and called Azure for Government -- has not yet been certified.

The government-only offering is housed in two specially constructed datacenters located in the United States and isolated physically and logically from the public cloud. All personnel will be US citizens screened for moderate public trust clearance and the servers will house only data from federal, state, and local government customers. The new platform, although operational, is not finished and will keep evolving to provide enhanced security, said Myers.

"We see this as a dynamic environment," he said. "It is very labor intensive, very capital intensive. It's not an environment for the weak."

A dynamic system is necessary to provide adequate security, because defense in modern, complex systems requires the ability to respond and adapt, said David Aucsmith, senior director of Microsoft's Institute for Advanced Technology for Governments.

John Pepper, computing and network services director at Sandia National Laboratories, talks about using unified communications at Microsoft's US Public Sector Federal Executive Forum.

Aucsmith, an author of the Defense Department's 1985 Orange Book, Trusted Computer System Evaluation Criteria, said at the federal forum that after 30 years of trying, "I do not believe you can create a secure computer system."

The complexity of IT systems makes it impossible to understand them fully, and this complexity makes it impossible to specify conditions and requirements with enough granularity to ensure security, he said. Testing and built-in processes are necessary but not sufficient to ensure security.

Because "we don't know what we don't know," any static system will become vulnerable to an adversary, Aucsmith added. The only effective defense requires the ability to recognize and respond to threats, which includes keeping systems fully patched and up-to-date.

Because patching and updating IT systems in a large enterprise is complex and time consuming, cloud platforms can provide enhanced security because dedicated staff can handle these jobs for multiple customers, and usually deploy them more quickly, he said. Patches represent a healthy way to combat adversaries. But if enterprises don't apply the patches quickly -- within about five days of release -- hackers can get the upper hand by exploiting the vulnerabilities revealed by patches.

"Hackers today are better organized, certainly better financed, and outcome driven," said forum guest speaker Tom Ridge, the former Pennsylvania governor who helped lead the creation of the Homeland Security Department. "There's still some people in the private sector that see a (cyber threats) as an IT problem instead of a business risk."

Azure for Government initially will host workloads with higher security clearances than usual and will not take the place of the commercial Azure offering, which still will be available to government customers. But Myers said that eventually the new platform would become the default for all government customers.

There is no timeline for general availability of the new offering, but the next step in the rollout, a public preview, is expected in late spring.

Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.

William Jackson is writer with the <a href="http://www.techwritersbureau.com" target="_blank">Tech Writers Bureau</A>, with more than 35 years' experience reporting for daily, business and technical publications, including two decades covering information ... View Full Bio

To my understanding the government-only cloud is a kind of private cloud with enhanced security. Here the similar kind of thing happens in China. The government agencies use cloud computing widely but all come from local vendors in the form of private cloud. For the cloud service provider, it would be a good thing to win government procurement deal - compared to hardware offering, the cloud computing service offering more a kind of long-lasting business.:-)

To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.

Chances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.